By NHI Mgmt Group Editorial Team
Published 2026-07-03
Domain: Governance & Risk
Source: RSA Security

TL;DR: Passwords remain one of the top two initial access vectors, while banks face account takeover fraud, credential stuffing, and relay attacks that bypass SMS and push-based MFA, according to RSA Security and the 2026 Verizon DBIR. FIDO2 passkeys and post-quantum planning shift the control point from shared secrets to cryptographic assurance and regulatory readiness.


At a glance

What this is: This is RSA Security’s analysis of why banking authentication is moving from passwords to FIDO2 passkeys, with PSD3, DORA, and post-quantum planning shaping the roadmap.

Why it matters: It matters because IAM teams must treat authentication design, recovery flows, and audit evidence as one operating model across human users, privileged admins, and banking-facing digital identity programmes.

By the numbers:

👉 Read RSA Security’s analysis of passwordless banking, PSD3, and post-quantum security


Context

Passwords are still a structural weakness in banking because the attack surface is not the login box alone. Recovery paths, help desk escalation, SMS delivery, and push approvals all create opportunities for credential theft, relay, or social engineering that shared secrets cannot withstand.

For IAM and authentication teams, the problem is no longer simply user convenience versus friction. Banking now demands phishing-resistant authentication, audit-ready recovery, and a path to quantum-resilient cryptography, which means identity programmes have to be designed as a control architecture rather than a collection of login methods.


Key questions

Q: How should banks implement phishing-resistant authentication without breaking recovery flows?

A: Banks should remove passwords from the primary path and then harden enrollment, reset, and recovery with the same assurance level. If the recovery process still relies on SMS, help desk shortcuts, or weak identity checks, attackers will target that path instead of the login screen. The control is only effective when the weakest fallback is also phishing resistant.

Q: Why do passwords and SMS-based MFA remain high-risk in banking?

A: Passwords and SMS are high-risk because they depend on shared secrets or interceptable delivery channels. Attackers can steal, relay, or redirect them through phishing proxies, SIM swaps, and social engineering. In banking, that means the attacker does not need to break cryptography, only the trust path surrounding the credential exchange.

Q: When should banking teams prioritise device-bound passkeys over synced passkeys?

A: Banking teams should prioritise device-bound passkeys for privileged users, high-value transactions, and any flow where stronger assurance matters more than convenience. Synced passkeys are better suited to lower-risk retail use cases, but they may not satisfy the same control expectations for administrators or sensitive payment approvals.

Q: Who is accountable when phishing-resistant authentication is available but not deployed?

A: Accountability sits with the identity, risk, and security owners who set authentication policy and justify exceptions. If regulators expect phishing resistance and the institution keeps weaker methods in place, the burden shifts to the programme owner to explain the residual fraud exposure and the business decision behind it.


Technical breakdown

Why phishing-resistant authentication matters in banking

Phishing-resistant authentication changes the trust model by binding credentials to the relying party domain and removing reusable shared secrets from the flow. With FIDO2, the private key stays on the user's device and the bank verifies a signature over a fresh challenge and the client data, which includes the origin the browser saw, so attackers cannot replay a password, intercept an OTP, or reuse the credential on a lookalike site: the browser will not exercise a credential for a mismatched RP ID, and an assertion that carries the wrong origin fails verification at the bank. That is materially different from SMS or push MFA, which still rely on a shared verification path that can be fooled in real time. In banking, this matters because the attacker's goal is usually account takeover, not just credential theft.

Practical implication: treat passkeys as an authentication architecture decision, not a user-experience enhancement.

PSD3, PSR1, and transaction signing requirements

PSD3 and PSR1 push banking authentication toward stronger phishing resistance and more defensible strong customer authentication. The key architectural point is dynamic linking, where the authentication step is bound to a specific payment amount and beneficiary, so the approval cannot be replayed for a different transaction. That creates a much tighter link between identity proofing and transaction authorisation. It also means institutions need multi-authenticator support, because regulators expect alternative methods for users who cannot use the primary one. Compliance is therefore tied to both method strength and operational flexibility.

Practical implication: validate that login, payment approval, recovery, and fallback methods all satisfy the same policy intent.

Post-quantum cryptography and banking identity

Post-quantum planning matters because authentication systems depend on public-key cryptography that a cryptographically relevant quantum computer could eventually break. The immediate risk is not that quantum computers break production systems today, but that attackers can harvest encrypted traffic now and decrypt it later. That harvest-now, decrypt-later exposure is a confidentiality problem: it applies to TLS key exchange, archived session records, and any long-lived authentication data protected by today's key-agreement algorithms. Signatures behave differently: a FIDO2 assertion is checked at the moment it is presented, so a recorded ECDSA or RSA assertion does not become replayable later, but the authenticator and relying-party signature algorithms still have to migrate before such a machine exists. For banks, the question is not whether to wait for quantum readiness, but how to inventory cryptographic dependencies early enough to migrate without operational disruption. FIDO2 remains relevant, but only if the surrounding cryptographic roadmap is treated seriously.

Practical implication: inventory every cryptographic dependency in authentication flows before migration deadlines become urgent.


Threat narrative

Attacker objective: The attacker aims to convert weak authentication into direct financial access, enabling account takeover and payment fraud.

  1. Entry begins with exposed credentials, credential stuffing, real-time phishing proxies, or social engineering at the help desk, all of which target the banking authentication perimeter.
  2. Escalation happens when an attacker relays an OTP, approves a push prompt, or bypasses recovery controls to obtain account access that looks legitimate to the bank.
  3. Impact is account takeover fraud, unauthorized payment approval, and fraudulent access to digital banking services at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Phishing-resistant banking is now an identity governance problem, not just an authentication problem. The article correctly shows that passwords, SMS OTPs, push approvals, recovery paths, and third-party contracts all sit inside the same control plane. Once regulators expect phishing resistance, the boundary shifts from login design to programme governance across the full identity lifecycle. The implication is that banking IAM teams must own recovery, auditability, and authenticator policy as one architecture.

Shared-secret banking has reached the limit of policy-based control. The article’s strongest point is that attackers do not need to defeat passwords directly when they can exploit the surrounding trust model. SMS, push, and help desk recovery all preserve a relayable trust path that phishing-resistant authentication removes. This is why FIDO2 matters as a structural control, not a cosmetic upgrade. Practitioners should treat any shared-secret dependency as residual fraud exposure.

Post-quantum readiness is becoming an authentication governance issue, not a cryptography side project. Cryptographic agility matters because banking identities depend on long-lived protocols, archived traffic, and third-party dependencies that outlive current algorithm assumptions. That is a lifecycle and assurance problem as much as a crypto problem. The field should stop treating PQC as future-state innovation and start treating it as roadmap discipline for identity infrastructure.

Banking identity programmes need multi-authenticator governance, not single-method purity. The article shows why one authenticator cannot cover every user population, recovery scenario, or regulatory constraint. Retail users, privileged admins, and corporate banking flows have different assurance and recovery requirements. The practical conclusion is that maturity now depends on policy orchestration, exception handling, and evidence generation across multiple authenticators.

Regulatory pressure is accelerating convergence on phishing resistance across regions. PSD3, PSR1, and DORA are pushing institutions toward the same outcome even when the legal language differs. That convergence reduces the value of bespoke authentication exceptions and increases the value of standardised, auditable identity controls. Institutions that delay will face both fraud exposure and weaker supervisory narratives when they are asked to prove why phishing-resistant methods were not deployed.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The banking problem is not isolated to human login hygiene. It is part of the broader identity control shift captured in 52 NHI Breaches Analysis, where weak credential governance repeatedly turns access into exposure.

What this signals

Shared-secret authentication is becoming a liability marker rather than a maturity marker. Banking teams that still depend on passwords, SMS OTPs, or weak recovery paths should expect those dependencies to show up in fraud reviews and supervisory questions. The operational signal is simple: if recovery is weaker than primary authentication, the architecture is still vulnerable.

With 72% of organisations already reporting or suspecting an NHI breach, the wider identity lesson is that access control fails fastest where credentials outlive the trust model built around them, according to The 2024 ESG Report: Managing Non-Human Identities. Banking IAM programmes should read that as a warning about all long-lived credentials, not just customer passwords.

Multi-authenticator governance: the real challenge is not adopting one phishing-resistant method, but proving that every fallback, exception, and recovery path preserves the same assurance intent. That is where audit evidence, policy design, and operational resilience start to converge.


For practitioners

  • Map every password dependency in authentication flows: inventory enrollment, recovery, reset, and help desk paths, not just the primary login journey. Remove any shared-secret dependency that still allows relay, replay, or social engineering to reach account access.
  • Validate phishing-resistant SCA end to end: test that your implementation yields two independent factors (possession plus inherence or knowledge, for example a device-bound key unlocked by biometric or PIN), then confirm that transaction signing is bound to the payment amount and beneficiary where required.
  • Design multi-authenticator fallback policy: support different authenticator types for retail users, corporate users, branch staff, and privileged administrators so that compliance, usability, and recovery are governed together.
  • Inventory cryptographic dependencies for PQC migration: document which authentication protocols, signatures, and transport controls rely on algorithms that will need transition, then sequence upgrades before archival exposure becomes the main risk.
  • Treat authentication contracts as regulated third-party risk: review ICT supplier terms for availability, incident notification, audit rights, and continuity obligations so authentication services are governed with the same rigor as the rest of the banking stack.

Key takeaways

  • Banking authentication is shifting from shared secrets to phishing-resistant identity controls because passwords, OTPs, and push approvals still enable account takeover.
  • The evidence shows both the fraud problem and the governance problem are already mature, which is why regulators are pushing toward passkeys, dynamic linking, and audit-ready recovery.
  • Institutions that map recovery paths, multi-authenticator support, and cryptographic migration now will be better positioned to absorb PSD3, DORA, and post-quantum requirements later.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while DORA defines the regulatory obligations.

Framework        | Control / Reference                                  | Relevance
NIST SP 800-63   | SP 800-63B authenticator assurance levels            | Phishing-resistant authenticators align directly with digital identity assurance guidance.
NIST CSF 2.0     | PR.AA-01                                             | Identity verification and authentication governance underpin banking access resilience.
DORA             | ICT dependency, resilience, and supplier oversight   | Authentication services are ICT dependencies that must support resilience, audit, and supplier oversight.

Use phishing-resistant authenticators and harden recovery flows to meet higher assurance expectations.


Key terms

  • Phishing-resistant authentication: Authentication that cannot be replayed, relayed, or phished through a shared secret or interceptable code. In practice, this means binding the credential to the legitimate relying party and using cryptographic proof rather than user-entered secrets.
  • Passkey: A passkey is a FIDO2/WebAuthn public-private key pair that replaces a password. The private key stays on the user device or platform (or, for synced passkeys, in the platform's credential store), while the service stores only the public key, reducing exposure to interception and reuse.
  • Dynamic linking: Dynamic linking binds an approval to a specific transaction, usually by tying authentication to the payment amount and beneficiary. It stops a valid login from being reused to authorise a different payment and is a key banking control for stronger customer authentication.
  • Post-quantum cryptography: Post-quantum cryptography uses algorithms designed to resist attacks from quantum computers as well as classical machines. For identity programmes, it is mainly a migration and agility problem, because current authentication dependencies must eventually move to quantum-resistant methods.

What's in the full article

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of how FIDO2 passkeys work in browser and banking flows.
  • Implementation guidance for PSD3 and PSR1 strong customer authentication, including dynamic linking.
  • Practical comparison of synced passkeys, device-bound passkeys, and hardware security keys.
  • Post-quantum roadmap considerations for authentication teams planning cryptographic migration.

👉 RSA Security’s full article includes the passkey architecture, compliance detail, and roadmap questions in one place.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org